Opened 4 years ago

Closed 4 years ago

#693 closed Bug / Defect (fixed)

--management-external-key is broken since 2.3.3

Reported by: vk2
Owned by: Steffan Karger
Priority: major
Milestone:
Component: Certificates
Version: OpenVPN 2.3.11 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: management external
Cc: plaisthos

Description

Hi,

there is a bug introduced in version 2.3.3:

int
tls_ctx_use_external_private_key (struct tls_root_ctx *ctx,
    const char *cert_file, const char *cert_file_inline)
{
  RSA *rsa = NULL;
  RSA *pub_rsa;
  RSA_METHOD *rsa_meth;
  X509 *cert = NULL;

  ASSERT (NULL != ctx);
  ASSERT (NULL != cert);

  tls_ctx_load_cert_file_and_copy (ctx, cert_file, cert_file_inline, &cert);
  ...

The second assert will always fail, because it should be moved down, after tls_ctx_load_cert_file_and_copy(), which actually loads the certificate.

This fix was submitted on 29 Nov 2013 to master branch (https://github.com/OpenVPN/openvpn/commit/68793f40e1d04409264d21dd24453d959828a306), but NOT to release/2.3 branch.

So all versions 2.3.3-2.3.11 still suffer from this problem.
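
The ordering problem described in this ticket, reproduced as an added example that is not OpenVPN source: `struct cert`, `load_cert_and_copy`, `key_before`, `key_after` and the local `ASSERT` macro are hypothetical stand-ins. Each variant runs in a child process so the abort can be observed without killing the caller.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example: stand-in names, not OpenVPN source. ASSERT aborts on failure. */
#define ASSERT(x) do { if (!(x)) abort(); } while (0)
static struct cert { const char *subject; } sample = { "CN=constructed-sample" };

/* Hypothetical stand-in for the certificate loader: fills *out on success. */
static void load_cert_and_copy(const char *file, struct cert **out)
{
    if (file != NULL) *out = &sample;
}

/* Ordering quoted in the ticket: cert is still NULL when it is checked. */
static int key_before(const char *file)
{
    struct cert *cert = NULL;
    ASSERT(NULL != cert);               /* fires on every call */
    load_cert_and_copy(file, &cert);
    return cert != NULL;
}

/* Ordering after the fix: check the out-parameter once it has been filled. */
static int key_after(const char *file)
{
    struct cert *cert = NULL;
    load_cert_and_copy(file, &cert);
    ASSERT(NULL != cert);               /* fires only if loading failed */
    return cert != NULL;
}

/* Run fn in a child process; return the signal that killed it, else 0. */
static int signal_from(int (*fn)(const char *), const char *file)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) _exit(fn(file) ? 0 : 1);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    printf("before=%d after=%d\n", signal_from(key_before, "c.crt"), signal_from(key_after, "c.crt"));
    return 0;
}
```

With the check after the load, the assertion still catches a certificate that failed to load, which is the case it was meant to guard.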

Change History (3)

comment:1 Changed 4 years ago by Gert Döring

Cc: plaisthos added
Owner: set to Steffan Karger
Status: new → assigned

syzzer, plaisthos: could you have a look if I just need to cherry-pick the named commit to 2.3 to fix this? I have no idea why I didn't do this back then...

comment:2 Changed 4 years ago by Steffan Karger

Yes, please backport this fix.

comment:3 Changed 4 years ago by Gert Döring

Resolution: fixed
Status: assigned → closed

commit 5f3d28b374d4058a08753d06c675cbc589675e24
Author: Arne Schwabe <arne@…>
Date: Fri Nov 29 13:32:40 2013 +0100

Move ASSERT so external-key with OpenSSL works again

Acked-by: Steffan Karger <steffan.karger@…>
Message-Id: <1385728360-32127-1-git-send-email-arne@…>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8069

trac #693

Signed-off-by: Gert Doering <gert@…>
(cherry picked from commit 68793f40e1d04409264d21dd24453d959828a306)

will be part of 2.3.12, to be released "soonish" (it was due some 4 weeks ago but got delayed due to lack of review/agreement on a few things)
